Information Technology Audit Association of Government Accountants – Boston Chapter 2014 Regional Professional Development Conference Bentley University March 13, 2014
With You Today • Geoff W. Clarke CISA CISSP • Manager KPMG Advisory Services • Geoff has been with the firm for seven years and is a manager in the KPMG LLP Information Technology Advisory Services (ITAS) Practice. He has over 30 years of business experience in both the MIS and IT Audit disciplines. Prior to joining KPMG, Mr. Clarke worked for several Fortune 500 Companies where he held MIS and IT Audit executive positions including those of Global IT Audit Director and CIO of Asia Pacific Region MIS. As a CIO, he lived in Singapore and had responsibility for sales, manufacturing and supply chain MIS development and support of his employer’s sales, manufacturing and logistical operations in Greater China, Australia, Japan and S.E. Asia. • During his KPMG career, Geoff has provided assistance to private and public sector clients and has managed MIS Projects, IT Risk and Security Assessments, IT Auditing, SSAE16 examinations and IT controls over Financial Reporting. • gclarke@kpmg.com • (617) 998 1408
Agenda • IT Auditing – what, who and why • IT Control Frameworks and IT General Control Domains • IT Audit Challenges
What is IT Auditing? • Information systems or technology audit is a part of the overall audit process which is one of the facilitators of good organizational governance • While there is no single universal definition of IT audit, Prof. Ron Weber (author of “Information Systems Control and Audit”) defined it as "the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently."
The IT Auditor • “Plans and participates in a broad internal auditing program, and in particular audits of an entity’s information technology functions to assure adherence to established entity policies and procedures and to offer constructive analysis and appraisal of the entity’s IT operations, its technology policies and procedures and systems of internal control”.
ISACA • ISACA is an international professional association focused on IT Governance. • It is an affiliate member of the Int’l Federation of Accountants (IFAC). • Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves. • ISACA was informally established in the US in 1967 and incorporated formally in 1969 as the Electronic Data Processing (EDP) Auditors Association • ISACA currently has over 110,000 constituents in 200 chapters located in more than 180 countries. • ISACA awards the certification of Certified Information Systems Auditor (CISA) following a successful examination result and 5 years of appropriate and recordable work experience. • Other ISACA certifications related to IT governance include Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC)
IT Audit as a Career • A number of schools now offer undergraduate degrees in Information Technology Auditing, including Bentley University • There is a shortfall of trained and experienced IT auditors • IT Auditors can come from both IT and business/accounting backgrounds
Impact of Information and Information Technology • Information is a key resource for all enterprises. In some cases, it is all they produce. • Enterprises constantly collect or create information, use it, store it, share it and eventually destroy it. • Information Technology (IT) is a key enabler of the above. • IT is pervasive and ubiquitous in all areas of public and private enterprise, and personal life. • IT has the potential to dramatically change organizational and business operating models, create new opportunities and reduce costs. • High dependency on information requires that it be safeguarded from unauthorized access or misappropriation, have integrity and be made available when required. • Information value brings with it increased internal and external risks and threats of loss or compromise. • Increasing information risks and threats bring with them new statutory requirements specific to the management of information technology • The recognition that while “it is human to err, it requires a computer to really screw up”.
The role of IT in Enterprise operations • IT is a key enabler in supporting what organizations most want • to accomplish positive business outcomes • Achieving business goals • Meeting corporate governance responsibilities and legal requirements • Administering and managing business activity efficiently and cost effectively • to minimize business risk and avoid issues and problems • Business • Operational • IT • Statutory and legal
Examples of IT Objectives to be achieved and Risks to be mitigated • IT Objectives • Efficient and successful operations • Data integrity • Protected systems • Safeguarded assets • Data and system availability • Positive ROI • Competitive advantage • Enhanced reputation • Statutory Compliance • IT Risks • Information Loss (accidental or malicious) • Financial Reporting Errors • Loss of data and/or system integrity confidence • Computer fraud • System failure and downtime • Increased cost of operation • Inaccurate data = poor business decisions • Reputational loss • Compliance failure
Management’s Requirements from its IT Organization • Governance and Risk Management • Security and Confidentiality • Availability • Integrity • Efficiency and Effectiveness • Compliance • Managed cost and ROI
Management’s Objective (what it has, what it wants) • What it has: IT RESOURCES (Applications, Data, Infrastructure, People) • PROCESSES turn those resources into INFORMATION • What it wants: INFORMATION that has these characteristics: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
The role of IT Audit • To help meet Management’s objective, IT systems and processing environments need to be appropriately managed, controlled and periodically assessed to ensure that: • Organizational objectives that are dependent on IT are achieved • Systems and applications function as expected • Data and systems have integrity and are reliable • Adequate safeguards are in place to protect data, information and other IT resources from unauthorized access, disclosure or misappropriation • Systems, applications and their information assets are kept available for authorized persons • Federal, state and other statutory regulations are complied with
IT Controls – Achieving Objectives and Avoiding Risk • Controls exist both to achieve business objectives and to avoid risks, threats and exposures • Control (as defined by CobIT): the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. Source: COBIT Control Objectives.
Characteristics of Good Internal Control Environment • Well-defined operational control objectives • Appropriate supporting controls • Risk assessment and risk management • Policies, standards, defined expectations • Documentation • Competent and trustworthy people • Monitoring, measurement and evaluation
CobIT framework as a model for Enterprise IT Governance • CobIT = Control Objectives for Information and Related Technology • IT Audit’s COSO cousin • First issued in 1997, CobIT 5 published in 2012 is the latest iteration. Developed and maintained by ISACA and the IT Governance Institute (ITGI). • Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers, IT organizations and auditors • The framework supports governance of IT by defining and aligning business goals with IT goals and IT processes. The COBIT components include: • Framework: Organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements • Process descriptions: A reference process model and common language for everyone in an organization. The processes map to responsibility areas of plan, build, run and monitor. • Control objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process. • Management guidelines: Help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes • Maturity models: Assess maturity and capability per process and help to address gaps.
CobIT – Intended to be “all things to all people” • Business Management and User Community • IT Management and IT Organizations • IT Auditors • The Enterprise
Other IT Control Frameworks • Information Technology Infrastructure Library (ITIL) • Security Code of Conduct – DTI • Security Handbook – NIST • Federal Information Processing Standards (FIPS) • International Organization for Standardization (ISO) 27001/2 (Security)
IT Auditor Areas of Interest • Business Information Characteristics and Information Management • IT Resources and Resource Management • IT Processes and Process Management
Information Characteristics • Effective • information should be relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, usable and complete manner • Efficient • provision of information through the optimal (most productive and economical) use of resources • Confidential • protection of sensitive information from unauthorized disclosure. • Integrity • relates to the accuracy and completeness of information as well as its validity in accordance with business values and expectations • Available • requires that information be available when required by the business process now and in the future. • Compliant • compliance with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed statutory or business criteria • Reliable • the provision of appropriate and accurate information to management to operate the entity and exercise its fiduciary and governance responsibilities.
IT Resources and Resource Management • IT resources need to be managed in order to provide organizations with type and quality of information required to achieve organizational objectives. Resources comprise: • Application Systems • are the automated user systems and associated manual procedures that process the information • Can be in-house or externally hosted (e.g. Software-as-a-Service applications) • Information • is data in all its forms that when compiled has intelligence and meaning. • Infrastructure and Facilities • is the technology (hardware, operating systems, database management systems, networking, multimedia, etc.), and the facilities that house and support it, that enable the processing of data through the applications • People • are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, contracted or totally outsourced as necessary
Information Processes and Process Management • Domains: a natural grouping of processes, often matching an organizational domain of responsibility • Processes: a series of joined tasks and activities with natural (control) breaks • Tasks & Activities: actions needed to achieve a measurable result; activities have a life-cycle whereas tasks are discrete
Information Processes and Key General IT Control Domains • Domain 1 – IT Management, Planning, Organization and Risk Management • Domain 2 – Technical Infrastructure and IT Operational Practices • Domain 3 – Protection of Information Assets • Domain 4 – Disaster Recovery and Business Continuity • Domain 5 – Business Application Systems Development, Acquisition, Implementation and Maintenance
Domain 1 – IT Management, Planning, Organization and Risk Management
Domain 2 – Technical Infrastructure and IT Operational Practices
Domain 5 – Business Solution Systems Development, Acquisition, Implementation and Maintenance
What comprises a traditional IT audit? • The major elements of IT audit as defined by ISACA and laid out in CobIT can be broadly classified: • Physical and environmental review—This includes physical security, power supply, air conditioning, humidity control and other environmental factors. • System administration review—This includes security review of the operating systems, database management systems, all system administration procedures and compliance. • Application software review—The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed. • Network security review—Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage. • Business continuity review—This includes existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan. • Data integrity review—The purpose of this is scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software, one form of computer-assisted audit techniques (CAATs).
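The application access review and data integrity review above both come down to running substantive tests over extracts of live data. The script below is an added example, not part of the original slides, of the kind of CAAT-style tests an IT auditor would run with generalized audit software: a segregation-of-duties check, a leaver-still-active check, a dormant-account check and a duplicate-payment check. The extract layouts, field names, role names, the SoD matrix and the 90-day dormancy threshold are all illustrative assumptions, and the sample rows are constructed for the example.

```python
"""CAAT-style substantive tests over constructed sample extracts.

Added example (not from the original slides). The extract layouts, role
names, SoD matrix and thresholds below are assumptions for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample: application user-access extract (assumed layout).
ACCESS_EXTRACT = """\
user_id,roles,status,last_login
u100,AP_ENTRY;AP_APPROVE,active,2014-02-20
u101,AP_ENTRY,active,2014-03-01
u102,GL_POST,active,2013-08-15
u103,AP_APPROVE,active,2014-03-10
u104,SYSADMIN,active,2014-03-11
"""

# Constructed sample: HR extract of leavers (assumed layout).
HR_LEAVERS = """\
user_id,termination_date
u102,2013-09-30
"""

# Constructed sample: accounts-payable payment register (assumed layout).
PAYMENTS = """\
payment_id,vendor_id,invoice_no,amount,paid_by
p1,v10,INV-001,1200.00,u100
p2,v10,INV-001,1200.00,u101
p3,v11,INV-777,89.50,u101
p4,v12,INV-900,1200.00,u103
"""

# Assumed SoD matrix: one user must not both enter and approve AP invoices.
SOD_CONFLICTS = {frozenset({"AP_ENTRY", "AP_APPROVE"})}


def load(text):
    """Parse a CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def sod_violations(access_rows):
    """Users holding a toxic combination of roles."""
    hits = []
    for row in access_rows:
        roles = set(row["roles"].split(";"))
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                hits.append((row["user_id"], tuple(sorted(pair))))
    return hits


def terminated_but_active(access_rows, leaver_rows):
    """Leavers whose application account is still active (de-provisioning gap)."""
    leavers = {r["user_id"]: r["termination_date"] for r in leaver_rows}
    return [(r["user_id"], leavers[r["user_id"]]) for r in access_rows
            if r["status"] == "active" and r["user_id"] in leavers]


def dormant_accounts(access_rows, as_of, max_idle_days=90):
    """Active accounts not used for more than max_idle_days, with idle days."""
    hits = []
    for r in access_rows:
        idle = (as_of - date.fromisoformat(r["last_login"])).days
        if r["status"] == "active" and idle > max_idle_days:
            hits.append((r["user_id"], idle))
    return hits


def duplicate_payments(payment_rows):
    """Same vendor, invoice number and amount paid more than once."""
    groups = defaultdict(list)
    for r in payment_rows:
        groups[(r["vendor_id"], r["invoice_no"], r["amount"])].append(r["payment_id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def run_tests(as_of=date(2014, 3, 13)):
    """Run every substantive test and return the findings keyed by test name."""
    access, leavers, payments = load(ACCESS_EXTRACT), load(HR_LEAVERS), load(PAYMENTS)
    return {
        "sod": sod_violations(access),
        "terminated_active": terminated_but_active(access, leavers),
        "dormant": dormant_accounts(access, as_of),
        "duplicate_payments": duplicate_payments(payments),
    }


if __name__ == "__main__":
    for name, findings in run_tests().items():
        print(f"{name}: {findings}")
```

Each finding is an exception for the auditor to follow up, not a conclusion in itself: a duplicate-payment hit may be a legitimate instalment, and a dormant account may belong to a seasonal role, so the output is evidence of where controls may have failed rather than a verdict on them. Against a real extract the same functions would be pointed at the exported files instead of the inline strings.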
IT Audit Challenges • Inaccessible and untouchable computer solutions – Cloud based systems • Involvement at inception • Business owned and driven • Reliance on 3rd party service auditor reports • Year-to-year oversight • Remaining relevant • Effective vendor evaluations, e.g. FedRAMP • Statutory Compliance demands • Data lifecycle management • Keeping ahead of the curve - understanding new technologies, solutions and their risks • End user computing – the ubiquitous mobile device and its vulnerability • Acquiring and retaining qualified staff